Skip to content

Evidence Artifacts

A collection of evidence artifacts associated to the activity/activities that triggered a security detection.

  • Extends: _entity

Attributes

Section titled “Attributes”

actor

  • Type: actor
  • Requirement: recommended

Describes details about the user/role/process that was the source of the activity that triggered the detection.

api

  • Type: api
  • Requirement: recommended

Describes details about the API call associated to the activity that triggered the detection.

connection_info

Describes details about the network connection associated to the activity that triggered the detection.

container

Describes details about the container associated to the activity that triggered the detection.

database

  • Type: database
  • Requirement: recommended

Describes details about the database associated to the activity that triggered the detection.

databucket

Describes details about the databucket associated to the activity that triggered the detection.

device

  • Type: device
  • Requirement: recommended

An addressable device, computer system or host associated to the activity that triggered the detection.

dst_endpoint

Describes details about the destination of the network activity that triggered the detection.

email

  • Type: email
  • Requirement: recommended

The email object associated to the activity that triggered the detection.

file

  • Type: file
  • Requirement: recommended

Describes details about the file associated to the activity that triggered the detection.

http_request

Describes details about the http request associated to the activity that triggered the detection.

http_response

Describes details about the http response associated to the activity that triggered the detection.

ja4_fingerprint_list

Describes details about the JA4+ fingerprints that triggered the detection.

job

  • Type: job
  • Requirement: recommended

Describes details about the scheduled job that was associated with the activity that triggered the detection.

process

  • Type: process
  • Requirement: recommended

Describes details about the process associated to the activity that triggered the detection.

query

Describes details about the DNS query associated to the activity that triggered the detection.

reg_key win

Describes details about the registry key that triggered the detection.

reg_value win

Describes details about the registry value that triggered the detection.

resources

Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top-level of the finding.

script

  • Type: script
  • Requirement: recommended

Describes details about the script that was associated with the activity that triggered the detection.

src_endpoint

Describes details about the source of the network activity that triggered the detection.

tls

  • Type: tls
  • Requirement: recommended

Describes details about the Transport Layer Security (TLS) activity that triggered the detection.

url

  • Type: url
  • Requirement: recommended

The URL object that pertains to the event or object associated to the activity that triggered the detection.

user

  • Type: user
  • Requirement: recommended

Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.

win_service win

Describes details about the Windows service that triggered the detection.

data

  • Type: json_t
  • Requirement: optional

Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.

name

  • Type: string_t
  • Requirement: optional

The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors.

uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors.

verdict

  • Type: string_t
  • Requirement: optional

The normalized verdict of the evidence associated with the security detection.

verdict_id

  • Type: integer_t
  • Requirement: optional
  • Values:
    • 0 - Unknown: The type is unknown.
    • 1 - False Positive: The verdict for the evidence has been identified as a False Positive.
    • 2 - True Positive: The verdict for the evidence has been identified as a True Positive.
    • 3 - Disregard: The verdict for the evidence is that is should be Disregarded.
    • 4 - Suspicious: The verdict for the evidence is that the behavior has been identified as Suspicious.
    • 5 - Benign: The verdict for the evidence is that the behavior has been identified as Benign.
    • 6 - Test: The evidence is part of a Test, or other sanctioned behavior(s).
    • 7 - Insufficient Data: There is insufficient data to render a verdict on the evidence.
    • 8 - Security Risk: The verdict for the evidence is that the behavior has been identified as a Security Risk.
    • 9 - Managed Externally: The verdict for the evidence is Managed Externally, such as in a case management tool.
    • 10 - Duplicate: This evidence duplicates existing evidence related to this finding.
    • 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.

Constraints

Section titled “Constraints”

At least one of: actor, api, connection_info, data, database, databucket, device, dst_endpoint, email, file, process, query, src_endpoint, url, user, job, script, reg_key, reg_value, win_service

Used By

Section titled “Used By”